04-23-2011, 04:29 AM
#1
Member
Registered: Jan 2011
Location: Dhaka
Posts: 78
Script to block sender domain
Hello,
In our mail server we are taking lots of hits. In the maillog there's a hell of rejected mail like these:
Code:
Apr 23 04:35:13 mail1 postfix/smtpd[31700]: NOQUEUE: reject: RCPT from unknown[119.153.14.231]: 554 <bob@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<hareme.com@shareme.com> to=<bob@domainname.net> proto=ESMTP helo=<localhost>
I have a script which searches for the IP and blocks those. I'm having problems if I block the RCPT IPs. Instead I want to block the sender domain, like in this example, shareme.com. What shall I modify in my script to do this? Thanks
Code:
#!/bin/bash
IPT=/sbin/iptables
LIMIT=10
cd /admin || exit 1
# first get one minute of log
# syslog pads single-digit days with a space ("Apr  1"), so match with %e rather than %d
grep "$(date +"%b %e %H:%M:" --date="1 minute ago")" /var/log/maillog > minutelog
# now extract the rejected attempts, sort and count uniq ip
# field 10 is "unknown[119.153.14.231]:"; the cuts leave only the address
grep "reject:" minutelog | cut -d" " -f10 | cut -d"[" -f2 | cut -d"]" -f1 | sort | uniq -c | sort -n | sed 's/^[ \t]*//' > tmp1
# for each line in result ("count ip")
while read -r line
do
    MYCOUNT=$(echo "$line" | cut -d" " -f1)
    MYIP=$(echo "$line" | cut -d" " -f2)
    if [ "$MYCOUNT" -lt "$LIMIT" ]
    then
        echo "$MYIP is ok: $MYCOUNT attempts"
    else
        echo "blocking the spammer at $MYIP with $MYCOUNT attempts"
        $IPT -I INPUT -i eth0 --proto tcp -s "$MYIP" --destination-port 25 -j DROP
        echo "$MYIP" >> blocked.smtp
    fi
done < tmp1
rm -f minutelog
rm -f tmp1
04-23-2011, 04:43 AM
#2
Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 18 with Awesome WM
Posts: 6,797
Hello,
I'm not quite sure if using a domain name will help you completely solve the problem since iptables will resolve the domain name and block the IP. Maybe it's better to include nslookup or dig to get the IP for that domain and block it with
Code:
# resolve the domain to an address; head -n1 keeps the command valid when the
# name has several A records, and /16 blocks the whole surrounding block
IPA=$(nslookup shareme.com | grep -A1 "shareme.com" | grep Address | awk '{ print $2 }' | head -n1)
iptables -A INPUT -p tcp --dport 25 -s "$IPA"/16 -j REJECT
Hope it helps.
Kind regards,
Eric
04-23-2011, 05:07 AM
#3
Member
Registered: Jan 2011
Location: Dhaka
Posts: 78
Original Poster
Quote:
Originally Posted by EricTRA
Hello,
I'm not quite sure if using a domain name will help you completely solve the problem since iptables will resolve the domain name and block the IP. Maybe it's better to include nslookup or dig to get the IP for that domain and block it with
Code:
IPA=$(nslookup shareme.com |grep -A1 "shareme.com" | grep Address | awk -F' ' '{ print $2 }')
iptables -A INPUT -p tcp --dport 25 -s $IPA/16 -j REJECT
Hope it helps.
Kind regards,
Eric
Hi Eric,
Thanks for your feedback. I need help on extracting the domain name from the maillog. With the current script I can extract the RCPT IP, not the domain name. Thanks again.
04-23-2011, 05:28 AM
#4
Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 18 with Awesome WM
Posts: 6,797
Hello,
Quick and dirty. You're already extracting the necessary lines from your log, right? Pipe the line into this, saving it in a variable and then block using iptables:
Code:
# $line holds the log line itself, so feed it with echo rather than cat (cat would treat it as a file name)
echo "$line" | awk -F'=' '{ print $2 }' | sed -n -e 's/^\([^>]*\)>.*/\1/p' | awk -F'@' '{ print $2 }'
I tested it by putting your example in a file and running:
Code:
cat testtext | awk -F'=' '{ print $2 }' | sed -n -e 's/^\([^>]*\)>.*/\1/p' |awk -F'@' '{ print $2 }'
and the result was:
If you put it in a variable you can get the IP as mentioned above with nslookup and block it using iptables. Hope it helps.
Kind regards,
Eric
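The two pieces the thread builds by hand (the per-IP counting in the first post's script and the sender-domain extraction in this post) combined into one script, as an added example that is not code from the thread. It is written from the defender's side: it counts rejects per client IP and per envelope-sender domain over a log window, prints both, and only blocks per IP (and only when DO_BLOCK=1). The envelope sender is whatever the remote client claims, so a block keyed on it is trivially evaded and can cut off legitimate mail from a forged domain; the domain counts are context, not a block key. Likewise, resolving the domain and blocking the resulting /16 hits the domain's own hosts and 65,536 addresses around them, not the clients doing the sending. Assumptions: traditional syslog timestamps, Postfix smtpd reject lines in the format quoted in the thread, eth0 as the SMTP interface, and the constructed sample log embedded below when no log file is given.

```shell
#!/bin/bash
# Added example (not the thread's script): count Postfix RCPT rejects per client IP
# and per envelope-sender domain over a log window, and report or block per IP.
# Assumptions: traditional syslog timestamps ("Apr 23 04:35:13"), Postfix smtpd
# reject lines in the format shown in the thread, eth0 as the SMTP interface,
# and the constructed sample log below when no log file is given.

IPT=/sbin/iptables
LIMIT="${LIMIT:-3}"   # the thread uses 10; 3 so the constructed sample trips it

# Constructed sample: three rejects from one client (one with the null sender
# from=<>, which a naive split on "@" breaks on), one reject from another
# client, and one non-reject line that must be ignored.
SAMPLE_LOG='Apr 23 04:35:13 mail1 postfix/smtpd[31700]: NOQUEUE: reject: RCPT from unknown[119.153.14.231]: 554 <bob@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<hareme.com@shareme.com> to=<bob@domainname.net> proto=ESMTP helo=<localhost>
Apr 23 04:35:14 mail1 postfix/smtpd[31700]: NOQUEUE: reject: RCPT from unknown[119.153.14.231]: 554 <alice@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<x@ShareMe.com> to=<alice@domainname.net> proto=ESMTP helo=<localhost>
Apr 23 04:35:15 mail1 postfix/smtpd[31702]: NOQUEUE: reject: RCPT from unknown[119.153.14.231]: 554 <carol@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<> to=<carol@domainname.net> proto=ESMTP helo=<localhost>
Apr 23 04:35:16 mail1 postfix/smtpd[31703]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 <dave@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<news@example.org> to=<dave@domainname.net> proto=ESMTP helo=<mx.example.org>
Apr 23 04:35:17 mail1 postfix/smtpd[31703]: 4F2A1: client=mx.example.org[198.51.100.7]'

# Envelope-sender domain of one line, lower-cased (domains are case-insensitive).
# Prints nothing for the null sender from=<> or when there is no from= field.
extract_sender_domain() {
    printf '%s\n' "$1" | sed -n 's/.* from=<[^@>]*@\([^>]*\)>.*/\1/p' | tr 'A-Z' 'a-z'
}

# Client address of the rejected connection, taken from "RCPT from name[ip]:".
extract_client_ip() {
    printf '%s\n' "$1" | sed -n 's/.*reject: RCPT from [^[]*\[\([^]]*\)\].*/\1/p'
}

# Read log lines on stdin, keep only RCPT rejects, and print "count key" lines
# (highest count first) keyed by client IP ("ip") or sender domain ("domain").
count_rejects() {
    local mode="$1" line key
    while IFS= read -r line; do
        case "$line" in *" reject: RCPT from "*) ;; *) continue ;; esac
        if [ "$mode" = ip ]; then
            key=$(extract_client_ip "$line")
        else
            key=$(extract_sender_domain "$line")
        fi
        if [ -n "$key" ]; then printf '%s\n' "$key"; fi
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Block one client IP with iptables when DO_BLOCK=1; otherwise only report.
block_ip() {
    if [ "${DO_BLOCK:-0}" = 1 ]; then
        "$IPT" -I INPUT -i eth0 -p tcp -s "$1" --dport 25 -j DROP
        printf '%s\n' "$1" >> blocked.smtp
        echo "blocked $1 ($2 rejects in window)"
    else
        echo "would block $1 ($2 rejects in window); set DO_BLOCK=1 to apply"
    fi
}

# Decide per client IP. Sender domains are printed as context only: the
# envelope sender is whatever the remote client claims, so blocking by it is
# trivially evaded and risks cutting off legitimate mail from a forged domain.
main() {
    local tmp count key
    tmp=$(mktemp)
    if [ -n "$1" ]; then
        # syslog pads single-digit days with a space, so match with %e, not %d
        grep "$(date +"%b %e %H:%M:" --date="1 minute ago")" "$1" > "$tmp"
    else
        printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    fi
    echo "== rejects per client IP =="
    count_rejects ip < "$tmp" | while read -r count key; do
        if [ "$count" -ge "$LIMIT" ]; then
            block_ip "$key" "$count"
        else
            echo "$key is ok: $count rejects"
        fi
    done
    echo "== rejects per sender domain (context only) =="
    count_rejects domain < "$tmp"
    rm -f "$tmp"
}

main "$@"
```

Run it with no argument to see the decisions for the constructed sample, or with `/var/log/maillog` (and LIMIT=10, DO_BLOCK=1) from cron to reproduce the first post's behaviour with the fixed date match and with both counts visible in the output.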
04-23-2011, 09:46 AM
#5
Senior Member
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,046
How about something like fail2ban, which will watch the logs and, if a particular sender triggers too many errors, they get blocked, at least temporarily. Of course you define what "too many errors" and "temporarily" are. This is usually enough to get these kinds of script-bots to go away. You can then create a blacklist in iptables and permanently ban ones that are repeat offenders. Another suggestion might be to use rate limiting in iptables based upon new connections to port 25. I also believe that Postfix has rate limiting features that can be enabled, but it looks like you want something that works at a lower level.
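What this post describes, written out as an added example (not code from the thread or from the fail2ban project): a fail2ban filter and jail that ban a client after too many "User unknown" RCPT rejects, a local check of the filter regex against a log line so it can be tested without fail2ban installed, and the iptables new-connection rate limit mentioned as the alternative. Assumptions: fail2ban 0.9+ directory layout under $PREFIX (default /etc/fail2ban), the log at /var/log/maillog, and the reject line format quoted earlier in the thread; the jail name, filter name and thresholds are my choices.

```shell
#!/bin/bash
# Added example, not from the thread: a fail2ban filter and jail that ban a client
# after too many "User unknown" RCPT rejects, checked locally against a log line,
# plus the iptables connection-rate limit the post mentions as an alternative.
# Assumptions: fail2ban 0.9+ directory layout under $PREFIX (default
# /etc/fail2ban), the log at /var/log/maillog, and the reject line format shown
# in the thread. Without --install it writes into a temporary directory.

PREFIX="${PREFIX:-/etc/fail2ban}"

# fail2ban uses Python regexes; <HOST> is its placeholder for the address to ban.
# The pattern is narrowed to the reject reason seen in the thread, so other 5xx
# replies (greylisting, policy rejects) do not count toward a ban.
FILTER_REGEX='postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 .*Recipient address rejected: User unknown'

# Write filter.d/<name>.conf and jail.d/<name>.local under the given prefix and
# print the jail file path.
write_fail2ban_config() {
    local prefix="$1"
    mkdir -p "$prefix/filter.d" "$prefix/jail.d"
    {
        printf '%s\n' '[Definition]'
        printf 'failregex = %s\n' "$FILTER_REGEX"
        printf '%s\n' 'ignoreregex ='
    } > "$prefix/filter.d/postfix-unknown-rcpt.conf"
    cat > "$prefix/jail.d/postfix-unknown-rcpt.local" <<'EOF'
[postfix-unknown-rcpt]
enabled  = true
filter   = postfix-unknown-rcpt
logpath  = /var/log/maillog
port     = smtp
# ten rejects within one minute earn a one-hour ban; repeat offenders can be
# promoted to a permanent iptables blacklist by hand, as the post suggests
maxretry = 10
findtime = 60
bantime  = 3600
EOF
    echo "$prefix/jail.d/postfix-unknown-rcpt.local"
}

# Local sanity check that needs no fail2ban: translate the Python-style regex to
# a POSIX ERE and extract the host the jail would ban from one log line.
host_from_line() {
    local ere
    ere=$(printf '%s' "$FILTER_REGEX" | sed -e 's/\\d/[0-9]/g' -e 's/\\S/[^ ]/g' -e 's/<HOST>/([0-9.]+)/' -e 's/\\]/]/g')
    printf '%s\n' "$1" | sed -nE "s|.*$ere.*|\1|p"
}

# Kernel-level alternative: limit NEW connections to port 25 per source address
# with the "recent" match (20 new connections per minute per client). Printed,
# not applied, so the rules can be reviewed first.
smtp_rate_limit_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --set --name smtp
iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 20 --name smtp -j DROP
EOF
}

main() {
    local target="$1" jail
    jail=$(write_fail2ban_config "$target")
    echo "wrote $jail"
    # fail2ban ships fail2ban-regex to test a filter against a real log
    if command -v fail2ban-regex >/dev/null 2>&1 && [ -r /var/log/maillog ]; then
        fail2ban-regex /var/log/maillog "$target/filter.d/postfix-unknown-rcpt.conf"
    fi
    smtp_rate_limit_rules
}

case "${1:-}" in
    --install) main "$PREFIX" ;;
    *) demo_dir=$(mktemp -d); main "$demo_dir"; rm -rf "$demo_dir" ;;
esac
```

After `--install`, reload with `fail2ban-client reload` and watch `fail2ban-client status postfix-unknown-rcpt`; the `findtime`/`maxretry` pair is the "too many errors" definition and `bantime` the "temporarily" the post leaves to you.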